Tools leverage open source AndroRAT remote access tool, which gives a remote attacker control over an infected device

InfoWorld | Jul 17, 2013

Android is earning the dubious distinction of being the mobile OS target of choice among malicious hackers and cyber criminals. Now malware developers are starting to cash in on Android's insecurity, rolling out tools with which bad guys can repackage and Trojanize legitimate Android apps.

One of the tools is called AndroRAT APK Binder. It's selling for $37 on underground forums and is the first of its kind, according to Symantec. As the name suggests, it's built around AndroRAT, a free, open source RAT (remote administration tool) with which a remote attacker can control an infected device via a user-friendly control panel. For example, a bad guy can use AndroRAT to monitor and make phone calls and SMS messages, grab the device's GPS coordinates, activate and use the camera and microphone, and access stored files.

The RAT comes in the form of an APK, explained Symantec's Andrea Lelli. "When used in conjunction with the AndroRAT APK binder, it easily allows an attacker with limited expertise to automate the process of infecting any legitimate Android application with AndroRAT, thus Trojanizing the app," she wrote.

When a user installs the Trojanized version of the app, he or she unknowingly installs AndroRAT as well. "This allows the attacker to circumvent elements of the Android security model through deception," according to Lelli.

She noted that Symantec has counted 23 cases of popular legitimate apps in the wild that have been Trojanized with AndroRAT, though she didn't specify which apps or where they're being downloaded.

Symantec has also spotted a commercial Java RAT dubbed Adwind that supports multiple OSes and "seems to be in the process of incorporating an Android module based off the AndroRAT," Lelli wrote.

Thus far, Symantec has seen only several hundred infections of AndroRAT across the globe, mostly in the United States and Turkey. "However, the telemetry is reporting a rise in infection numbers as of late, which we expect will continue as both the availability and sophistication of tools for AndroRAT increase," according to Lelli. "While AndroRAT is not showing a particularly high level of sophistication just yet, with the open source nature of its code and with its popularity growing, it has potential to evolve and grow into a more serious threat."

On a related note, researchers from San Francisco mobile security startup Bluebox Security have found a four-year-old vulnerability in Android with which a malicious hacker can modify any legitimate and digitally signed application, transforming it into a Trojan program. Reps from the company will present on the flaw in greater detail at the Black Hat USA security conference in Las Vegas later this month.